TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field. Users who embrace password managers for their online security were quick to point out their … well, ‘unhappiness’ with this decision. TD Canada’s original response to those users was unsettling:

The original tweet has since been deleted by @TD_Canada.

For those of us who rely on 1Password (and other password managers) every day, this advice is completely cringe-worthy … and unfortunately it’s not all that uncommon in the banking world. Many banking and financial sites cap password length, require particular special characters to be present, and put various ‘security theatre’ measures in place on their websites that do little to increase user security, while making it much harder for users to rely on a password manager to fill their complex passwords in on the site.

With the conversation about online security and banking so fresh in everyone’s minds, I thought now would be a great time to send a message out to banks and financial institutions everywhere to encourage them to take users’ security more seriously. I’m writing this not only as a member of the 1Password team who deals with security issues on a daily basis, but also as a concerned customer who just wants simple and secure access to her data.

Dear banks,

I know that you have my best interests at heart.

I know that you’ve worked hard to put ‘safeguards’ into place (such as disabling pasting into password fields, obfuscating usernames, spreading the login process across multiple pages, and “please input the nth character of your password” fields) to thwart various types of attacks.

But the truth is that these ‘security measures’ are not actually helping your users. Blocking paste does nothing to stop phishing or malware already on the device; in practice it mostly stops a password manager from doing its job. And a “please enter the 3rd and 7th characters” check cannot be verified against a standard salted one-way hash of the whole password, so it forces you to keep our passwords in a more recoverable form than every other site should be using.

Do you know what would really help your users? Long, random passwords.

Using long, random, and unique passwords is the best defense that we, your users, have against attackers. This advice is true for every site we have to sign in to these days … and believe me, we sign in to a lot more than just our financial sites. Keeping 100 or so strong and unique passwords memorized is not only a silly suggestion, it’s nearly impossible for all but the most savant-ish of us. Password managers help us increase our security by remembering these unique passwords for us, keeping them stored securely, and filling them in on websites so we don’t have to.

Many of the ‘security measures’ you have put into place serve only to make it much more difficult for those of us who rely on password managers. Password managers are not your enemy here. In fact, encouraging the use of trusted password managers will do more for your users’ security than any of the measures you currently have in place.

You have an awesome opportunity here. Take the time to educate your users on the value of true security. Encourage users to adopt long, random, and unique passwords that never need to be stored in their brains. Make it easy for password managers to store and fill these secure passwords for your users (in web browsers as well as in mobile apps).

Now, it just so happens that there is a very simple way that you can give your users easy access to their banking data in your mobile apps. We’ve written an App Extension API that can be added to your iOS app in 3 easy steps. The app extension will allow users to select their password manager of choice and fill their complex passwords into your form, with no typing required.

1Password has been giving people control over passwords for almost 10 years now, and it truly is a wonderful thing. Our team built 1Password around the idea that being secure should never be compromised for convenience. We’ve been advocating for stronger, safer passwords for years, and we’d be so happy if you stood with us.

For now, passwords are a necessary evil. Remembering them shouldn’t have to be.

Please help us increase awareness of online security. Your users will be ever-so-grateful that you are taking their security seriously, and you’ll be making their lives a lot simpler too.

Signed, a hopeful user.

Since TD’s original response last week, they seem to have had a change of heart. A tweet from @TD_Canada on Saturday indicates that they are in fact working on an update that will allow copy and paste within their app … and possibly considering integrating password managers.

This is incredible news! Without seeing the update, it’s hard to know exactly what they have in store for users, but they have a great opportunity here to set the standard for banking apps and give other financial institutions a secure example to follow. I’m excited to see what they come out with!

My bank, Bell State Bank & Trust (https://www.bellbanks.com/), doesn’t allow pasting into the password field with their mobile app either. Needless to say, I don’t use the mobile app. I think I need to share this post with them.

Seems that big corporations tend to fail on security, even at the most basic level. TD and Virgin Mobile have both called me on the phone and asked me to answer security questions, which I declined to do as those were outbound calls. I explained that it is a flaw in their security protocols to ask those questions on outbound calls, and not even escalating the calls would make them understand the breach. So anyway, maybe a letter to TD’s CTO explaining how they lack security at all levels.
Something so basic, it’s strange they don’t realize it.

I’ve heard of this happening with a number of banks, and agreed, it isn’t particularly good security. I’m glad to hear you explained their mistake to them, and hopefully somebody somewhere read a report of the call and understood.

Citibank causes iCloud keychain to stumble and offer to save the masking asterisks as a new password.

I understand the motivation behind the 2-page login used by companies like Verizon, US Bank, etc. (as a verification that the customer has landed on the real page), but I completely agree with the author of the open letter that such measures cause folks to reuse simple, easy-to-remember/crack passwords.

“TD Canada Trust made quite a splash recently when it launched its redesigned iPhone app which disabled pasting in the password field”

It’s not just the password field, it’s also the username/access card field. And while previous versions of the app (for at least a couple of years now) have allowed pasting in both fields, you couldn’t log in when doing so…they wouldn’t authenticate. This meant that I couldn’t use the app…while typing the info in manually *might* have worked, my password has always been random and unmemorizable enough that it would have been too much of a PITA to switch back-and-forth between the app and the password manager.

“Many banking and financial sites implement restrictions … making it more difficult for users to rely on password managers to fill their complex passwords in on the site”

To be fair to TD, since I started banking on-line with them using my desktop computer more than a decade ago, I’ve always had a fairly strong password and logged onto their web site using a password manager. It could be longer and thus stronger, but it’s a randomly-generated string of uppercase, lowercase and numbers, so it isn’t easily crackable. It’s only their mobile app that’s been a PITA.

We’d love to help any apps integrate with our extension, not just financial institutions, so please feel free to share the article with the creators of any apps that could use our extension. The same details apply to everyone.

I started using 1Password a year ago and slowly migrated all 200+ of my accounts over to unique, long, randomly generated passwords. It’s been a challenge but well worth it.

I very much appreciate this open letter to banks. Financial apps and web sites are a real pain with regard to password management.

I’ve also been burned numerous times now by websites whose account creation frontend allows a long password while the backend system includes an unpublished length limit. So an account is successfully created, but I’m unable to access it later—login limbo. It leads to multiple experiments with password resets or sometimes abandoning an account and making an entirely new one. Could you also embark on a campaign to educate developers on the practical implications of long, secure passwords in interface and systems development?
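The ‘login limbo’ described in the comment above is easy to reproduce. The following is an added example (not code from the original post, its author, or 1Password): a hypothetical account store whose registration path silently truncates passwords to an unpublished 20-character limit while its login path hashes the full string, beside a fixed version that enforces one explicit, published limit on both paths and rejects over-long input instead of quietly altering it. The limits, the user names and the store classes are all invented for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical unpublished backend limit (think of a VARCHAR(20) column in a
# legacy user table). Constructed for this example.
LEGACY_HIDDEN_MAX = 20
# Generous, documented limit for the fixed version. Assumption: 128 bytes is
# far more than any password manager will generate.
PUBLISHED_MAX_BYTES = 128


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The iteration count is kept low so the
    demo runs quickly; use a far higher count in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class LegacyAccountStore:
    """Reproduces the bug: the sign-up form accepts any length, but the
    persistence layer truncates before hashing, while login hashes the full
    password the user supplies. The two paths disagree, so a long password
    can never log in."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        truncated = password[:LEGACY_HIDDEN_MAX]  # silent truncation: the bug
        salt = os.urandom(16)
        self._users[username] = (salt, derive_key(truncated, salt))

    def login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        # No truncation here, so the digest never matches for long passwords.
        return hmac.compare_digest(derive_key(password, salt), stored)


class FixedAccountStore:
    """One explicit limit, measured in bytes (what the hash actually consumes),
    enforced identically at registration and login, and rejected loudly
    rather than silently altered."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _validate(password: str) -> None:
        if len(password.encode("utf-8")) > PUBLISHED_MAX_BYTES:
            raise ValueError(f"password longer than {PUBLISHED_MAX_BYTES} bytes")

    def register(self, username: str, password: str) -> None:
        self._validate(password)
        salt = os.urandom(16)
        self._users[username] = (salt, derive_key(password, salt))

    def login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        try:
            self._validate(password)
        except ValueError:
            return False
        salt, stored = record
        return hmac.compare_digest(derive_key(password, salt), stored)


def login_limbo_demo(password: str) -> dict[str, bool]:
    """Registers the same long password in both stores and reports which
    login attempts succeed. Returns plain booleans so callers can check them."""
    legacy, fixed = LegacyAccountStore(), FixedAccountStore()
    legacy.register("alice", password)
    fixed.register("alice", password)
    return {
        "legacy_full_password": legacy.login("alice", password),
        # The only string that works against the legacy store is the silently
        # truncated prefix, which the user has no way of knowing.
        "legacy_truncated_prefix": legacy.login("alice", password[:LEGACY_HIDDEN_MAX]),
        "fixed_full_password": fixed.login("alice", password),
        "fixed_wrong_password": fixed.login("alice", password + "x"),
    }


if __name__ == "__main__":
    # Constructed 40-character password, the kind a password manager generates.
    demo = login_limbo_demo("Kq7!vZ2mR9#pL4wX8nB1@cF6hJ3yT5uD0sG2eA9o")
    for case, ok in demo.items():
        print(f"{case:26s} -> {'login OK' if ok else 'login FAILED'}")
```

The design point is that a maximum, if one must exist at all, belongs in the published policy and in a single validation routine shared by every path that touches the password; any code that shortens the string before hashing has to be treated as a correctness bug, not a storage detail.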

That ‘login limbo’ has happened to me several times too. That’s a very poorly designed and poorly tested login system. It makes one wonder what else the developers screwed up. It’s only security after all.

Not to mention that for the longest time, passwords for TD’s EasyWeb were case-insensitive and subject to an eight-character maximum. I believe the case-insensitivity remains for users who haven’t explicitly updated their passwords recently.

I am a member of Westpac Australia. Their login process is horrible. It assigns you an eight-digit user number (which can be autofilled) that cannot be changed. User-hostile, because it is not easy to remember random eight-digit numbers.

The password can be a maximum of six characters, alphanumeric only, and not case sensitive. To enter it you have to move your mouse around on a virtual keyboard and click the appropriate keys. This cannot be autofilled, pasted into, and you cannot use your computer’s keyboard to enter the characters.

I have emailed Westpac AU to complain about this, their reply was that it is for my own security and prevented keylogging. They did not take my concerns of password strength seriously at all.

On the Mac, Keyboard Maestro has a nifty feature that lets you enter characters in a field by emulated typing rather than pasting. I wonder if there is any clipboard manager for mobiles that lets you do the same thing?

To a technically and security literate person, the things banks do about security sound insane, but it’s worth bearing in mind that banks are regulated industries and those regulations can hamper their efforts to offer customer-friendly features like support for password managers (I’m not saying regulation is bad, by the way – it’s very clearly needed).

Just like the automobile industry has to (at least try to) protect people who don’t wear seatbelts, banks have to protect people who will be lax with their passwords. They have to assume all of their customers are morons. That’s not hyperbole – the banks have to actually think like someone who doesn’t think, and the bank has a duty of care to protect them.

If someone used a password manager to protect their password, but the password manager had a password of “123”, the bank could be held liable by the regulator if the customer makes a complaint that someone accessed their account. It’s not even a matter of it standing up in court – it’s a regulatory issue and more often than not the regulator will side with the customer.

The banks have to control the whole process between them and the customer. This is why in the early days banks only supported specific web browsers – they needed to ensure that they didn’t allow their customers to access their accounts via a means that they could not vouch for. Over time, the landscape changed, the banks and the regulators became more understanding of the technologies involved.

You do raise some good points. Hopefully the landscape has changed enough by now, though, to allow password managers to fill in banks’ mobile apps. TD’s more recent responses at least make me optimistic that this might happen.

Many banks choose to insure or indemnify their clients against online fraud. Specifying minimum requirements for passwords presumably reduces the risk of the passwords being broken. The banks can’t issue the clients with a random password to use, so they set some requirements to make it more difficult to guess or brute force.

If I have one password for a password manager, does that not decrease my security because once they crack one password they crack them all? I guess that is only a problem if they have my computer (or temp access to it), a Trojan on my computer, or if the password manager includes some type of web based access or secure online storage.

Minimum character length requirements are great. The problem is that many banks have ridiculously low minimum character lengths (thankfully not a problem with TD Canada Trust anymore), and some have even worse practices with MAXIMUM character lengths (for instance, one major bank here in Canada has a 6 character maximum character length for their online passwords).

The way password managers such as 1Password help is when banks do allow longer passwords, as they should, you don’t have to memorize the password, but can rather store it in a password manager. Yes, that does mean that there becomes a single point of possible failure if your password manager’s data gets cracked, which is why you want to make sure to use a good, strong Master Password to encrypt your passwords and other sensitive data.

Funny how banks, which are 100 percent at fault for the fraud perpetrated using Apple Pay, would choose to lecture people on password security. I’m going to keep this url for sending to those institutions which are blocking pasting. And I will change my bank if they choose to go that route.

We’d love to help any interested banks (or other apps!) integrate with our extension so that we can help everyone be more secure online, so please do share this letter with any institutions that you think need to read it.

The largest credit union in the U.S. is almost as bad. They use a Flash login! However, there is a non-Flash login that they hide. The link looks like regular text but is actually a hyperlink to that login. But it will not work with 1P. You have to paste.
It’s nuts.

Flash logins are annoying, that’s for sure. Since they have a hidden non-Flash login, though, I’d be curious if there’s any workaround that we could look into. If you’re interested, please consider contacting our support team to see if there’s anything we can do. I can’t make any promises, but we want to make 1Password work with as many sites as possible so we’d definitely look into it.

It isn’t just limited to banks – Aetna prevents pasting passwords in their iOS app as well. The part that really sucks about it is that since they are the provider for my employer, I can’t really just use someone else. And one of their big “selling points” when we switched was their “amazing mobile app”…

It’s definitely frustrating when it’s an app that you have no choice but to use. This is one time when I won’t necessarily advise someone to send this letter to an app’s creator, since I don’t know what the consequences of that could be for you, professionally-speaking (although you’d know better than I could), but I certainly hope that they do come across it somehow and take it to heart.

DIRECTV does this in their iOS app. So I made my password very, very simple. And hackable. I hope someone hacked in and is watching HBOgo on my account because of this idiotic practice. And, of course, I hope they’re paying my bill.

I suppose that’s one way to go. Fortunately, DIRECTV doesn’t have your banking information in the account (although, not having an account, I don’t know if it has any other personal information available when logged in, so it’s not something I’d generally recommend).